2022.11.14 16:12:34 (1592173650391994369) from Daniel J. Bernstein:
New paper "Multi-ciphertext security degradation for lattices" identifies several gaps in provable-security claims for lattice systems, and drives attacks through those gaps. https://cr.yp.to/papers.html#lprrr The easy part is disproving FrodoKEM's still-not-withdrawn "large margin" claim.
2022.11.14 16:24:28 (1592176647922679810) from Daniel J. Bernstein:
The hard part is showing that, under the (shaky!) heuristics used today to claim lattice security levels, the error distributions in New Hope and Kyber allow an asymptotically faster attack breaking one out of many ciphertexts, contrary to a (flawed!) proof claim at ACM CCS 2021.
2022.11.14 16:36:48 (1592179750461923329) from Daniel J. Bernstein:
Quantifying the impact on Kyber-512 would be even harder than quantifying the cost of single-target attacks against Kyber-512, which in turn is an unstable, challenging research topic. NIST is grossly misleading users when it labels Kyber's 2020 security analysis as "thorough".